
Bug Bounty Program at AADS

The security of our operations is our highest priority for many reasons:

  • We're dealing with our clients' money.
  • We must protect our partners' privacy.
  • We have our reputation at stake.

Whether you are a professional security researcher or a beginner, we welcome your security reports. However, we'd love them to be valuable and actionable. That's why we have specific recommendations regarding them.


Security report guidelines

  • Please provide information on how the vulnerability you've discovered might be used, both theoretically and practically, its impact, and all the pertinent details.
  • Please provide the exact steps showing how the vulnerability can be exploited and how we can reproduce the issue ourselves. We'd love to see a demonstration of the attack that does not affect our existing users. You may create as many test user accounts as you need.
  • Please submit the bug report via our support channels (email or web site widget) only after you've verified that the bug exists.
  • Use whatever language you prefer if you don't feel comfortable writing in English.
  • Please remember that we don't reward for the already known vulnerabilities listed below. The monetary reward you'll get for your report is at our discretion. The reward will be paid in USDT.
  • "Vulnerabilities" that affect or are present on other major websites will not be rewarded.


If you're a security researcher reading this information, we'd like to draw your attention to the fact that our SPF record is valid, and that we do not deem account deletion a security vulnerability.


We welcome you to help us find flaws in our code by clicking the "Report a bug" button at the bottom of our website.


Known and other issues we will not reward for:

  • A missing DNS CAA record; SPF/DKIM/DMARC misconfigurations without proven exploitability
  • HTTP security headers-related issues (unless demonstrably exploitable)
  • Passwords sent in plaintext to users via email
  • Disclosure of information about publishers' sites or advertisers' campaigns that is already public
  • Publicly reachable server IP addresses
  • Ability to terminate another user's browser session
  • "Ticket Trick" style vulnerability
  • Presence of JPEG EXIF metadata
  • Ability to access previously viewed pages via the browser's Back button after logout
  • Exposure of software version information unless it enables a viable exploit
  • API rate-limit weaknesses
  • HTTP header injection or forgery on endpoints protected by TLS
  • Ability to confirm whether an email address is already registered
  • Potential misuse of the click.a-ads.com redirection domain
  • Attacks requiring full compromise of a user's device or browser
  • Credential compromise originating outside our systems
  • Theoretical attacks without a clear, reproducible security impact
  • Security best practices and old versions of software (unless you can demonstrate the existence of a security vulnerability)
  • Reports based solely on automated scanners
  • Missing cookie flags (Secure, HttpOnly, SameSite) unless exploitable
  • DDoS or volumetric attacks


Planned security features

  • Full session management
  • Two-factor authentication (2FA)
  • DNSSEC, TLS-RPT and MTA STS records
  • Better handling of OAuth-related security (email change, access termination, etc.)


Hall of fame


  • 2025-06-20 Ivan Tagsa found a missing object ownership check in publication offers. The fix was rolled out.
  • 2025-05-03 Krishna & Vicky reported that several pages of our website allowed HTML injection. The issue was fixed.
  • 2025-04-20 An issue with internal infrastructure disclosure has been reported. It is under investigation.
  • 2025-04-20 geekboyranjeet notified us about a CSRF vulnerability. The issue was resolved.
  • 2025-04-04 Ritik Raj informed us that our CSP could be further strengthened and we rolled out a fix.
  • 2025-02-11 Si13ntr311ik discovered an XSS vulnerability related to the very old code base. The fix is pending.
  • 2025-01-27 NH Limon identified an issue that affected the display of certain content. While this is not a security vulnerability, we decided to fix it regardless.
  • 2025-01-13 Our own developer found that the old user sign-up form (to be removed soon) might be abused.
  • 2024-12-31 Vikash Gupta reported an extremely rare issue with the integration with third-party authentication services: changing your email does not sever the link between a third-party auth service and your account. The fix is pending.
  • 2024-09-25 Our own developer found out that Google reCAPTCHA may not function properly on all web pages of our website.
  • 2024-07-28 Lexa4ok was rewarded for responsibly using a third-party system to bypass Google CAPTCHA, highlighting the need for 2FA to prevent potential unauthorized access and protect user funds.
  • 2024-05-01 Eslam Monex reported a misconfigured web server which allowed browsing of its internal structure. No user data or information was compromised. The issue has been resolved.
  • 2022-05-12 It's possible for an attacker to lock a user out of their session for several hours by brute-forcing the user's password. The fix is pending. We were first notified about the issue more than a year ago, but we forgot to mention it here since it's not trivial to exploit: you need to know the victim's email address.
  • 2022-04-06 Foysal Ahmed reported an XSS vulnerability which we thought we had already fixed, but it resurfaced due to massive code changes.
  • 2022-03-02 Google CAPTCHA protection could be circumvented under certain conditions. Google fixed the issue on their side.
  • 2022-02-12 Tushar Sharma reported that rate-limiting of certain user actions wasn't enforced under special conditions. The vulnerability is being fixed.
  • 2021-11-05 A security researcher discovered that we are not properly utilizing CSRF headers under some conditions.
  • 2021-11-05 Koutrouss Naddara found an AADS server which is available via HTTP as opposed to HTTPS.
  • 2021-09-03 Khan Mamun (@mamunwhh) found out that we expose the NGINX version.
  • 2021-09-02 Muhammad Julfikar Hyder reported that some of our internal technical data is publicly available.
  • 2021-07-08 badcracker reported two web pages which allowed bypassing CAPTCHA protection under special conditions.
  • 2021-04-06 Murimi M. reported a vulnerability that allowed logging into a user account with an access code or BTC address without solving a CAPTCHA.
  • 2021-03-11 An anonymous researcher reported a vulnerability that allowed a possible takeover of an unused AADS subdomain.
  • 2021-03-09 Ardyan Vicky Ramadhan reported a bug that allowed editing other users' unlinked advertisements.
  • 2021-02-16 Ardyan Vicky Ramadhan reported a bug that allowed editing other users' campaigns.
  • 2021-01-08 Ardyan Vicky Ramadhan reported that we don't rate-limit certain actions which could be performed by the user.
  • 2021-01-08 Ardyan Vicky Ramadhan reported a Ticket Trick vulnerability.
  • 2020-11-23 Ardyan Vicky Ramadhan reported a Formula/CSV injection vulnerability which could only be exploited if the attacker gains unauthorized access to our advertisers. This attack is difficult to mitigate and is explicitly excluded from quite a few bug bounty programs.
  • 2020-10-02 Ardyan Vicky Ramadhan re-reported a tab open vulnerability first discovered two years prior. It resurfaced after a major website redesign. We've adjusted our development guidelines to avoid it in the future.
  • 2020-09-01 Shiraz Ali Khan reported a minor configuration issue with our email server DNS record.
  • 2020-03-27 Abir Khan Hridoy reported a possible DoS vulnerability in the user email confirmation routine.
  • 2019-10-24 Agung Saputra (r00t-geek) found out that some of our servers are directly exposed to the Internet.
  • 2018-05-06 Ch Chakradhar (Spi3er) reported a catalog CSRF vulnerability.
  • 2018-03-02 Waqar Vicky reported a number of issues and received:
  1. Password reset requests are not rate-limited and can be used to perform a DoS attack
  2. Our jQuery library is outdated and might be insecure
  3. We allow extremely weak passwords at user registration
  4. After logging off, you can use the web browser's Back button to see previously opened web pages
  5. After changing an email address or password, other open sessions and existing password reset tokens are not invalidated
  • 2017-12-10 Anonymous researcher reported a session termination vulnerability.
  • 2017-11-22 Anonymous researcher reported a self-XSS protection vulnerability. We don't consider it to be our vulnerability, but we may take measures to mitigate it in the future.
  • 2017-11-22 Anonymous researcher reported a tab open vulnerability.
  • 2017-11-22 Anonymous researcher reported an SSL cookie vulnerability (investigating).
  • 2017-11-21 Anonymous researcher reported a minor issue related to the email change.
  • 2017-11-16 Ch Chakradhar (Spi3er) reported a minor issue which made it possible to check the existence of a user by email.
  • 2017-11-08 Anonymous researcher reported a vulnerability which gave him access to our staging database and to a third-party server which we used for monitoring and control.
  • 2017-11-05 Ankit Bharathan reported a low-impact XSS issue in the ad preview page.
  • 2017-07-04 Jens Mueller (@jensvoid) responsibly reported a CORS misconfiguration vulnerability.


Addendum: our stance on the Google CAPTCHA 2.0 vulnerability


We've been notified that it's possible to programmatically solve Google CAPTCHA 2.0. We are reluctant to address this issue for several reasons:


  • The provided attack is as difficult and time-consuming to carry out as solving the CAPTCHA itself; in other words, it still serves its purpose.
  • Literally millions of websites, including Google itself, still use this version of CAPTCHA.
  • Google doesn't consider it to be vulnerable. No CVE, nothing. The original researcher couldn't get Google to accept this as a vulnerability.
  • We cannot reward for a vulnerability in a third-party service. That would mean that anyone could start claiming rewards for the multitude of bugs in the open-source software stack that we use.


Keywords: security, vulnerabilities, report, reward, bug bounty.


Updated on: 01/12/2025
